In the past year, the threat landscape has undergone a major shift, changing the very complexion of security attacks. While under-the-radar, data-stealing malware is still common, a bold new crop of ransomware actors eschews such covert action by simply announcing that they have encrypted, and are ransoming, your data – a much quicker path to profits. Forcepoint recently released its 2016 Global Threat Report detailing the latest threats gathered from 155 countries globally. In an interview with ETCIO, Carl Leonard, Principal Security Analyst, Forcepoint, elucidates the key findings, analyses the trends and provides business and technical recommendations for navigating the ever-changing threat landscape.

The Forcepoint 2016 Global Threat Report underlines the fact that the insider threat is looming large over enterprises. How do you read the situation in the enterprise space?

Forrester recently conducted a survey that revealed that more than 50 percent of data breaches in 2015 were due to the accidental insider. Data breaches caused by insider threats continue to climb, and the ranks of “accidental insiders,” or individuals who inadvertently contribute to data breaches through error or misuse of resources, are growing rapidly.

Preying on globalization and more dynamic business relationships and supply chains, attackers are targeting insiders in victim and adjacent organizations, often gaining access to systems by manipulating staff into what appears to be legitimate activity that is actually designed to steal their credentials. With these credentials in hand, criminals can freely move about networks, accessing and removing files unnoticed until it is too late.

Nearly 80% of security remains focused on perimeter defenses, with less than half of organizations having dedicated budget to insider threat programs. More sophisticated technology combining data loss prevention (DLP) and threat behavior analytics that correlate with other IT and business systems (like badging and IP log records) is now evolving to determine whether a threat is from a true insider or a malicious masquerader using stolen credentials.

As organizations move to confront insider threats, they must realize that routine business events can dramatically increase the risk of insider incidents. For instance, there was an organization undergoing M&A activity, where personnel affected by downsizing were observed violating their generous separation agreements by trying to exfiltrate proprietary company information before their departures. This activity was prevented, yet could have had costly business repercussions had it succeeded. Policy, process, technology controls, risk management and monitoring all help in managing the insider threat.
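The answer above describes correlating badge records with IT logs to tell a true insider from a masquerader using stolen credentials. The following is an added illustration of that correlation, not code from Forcepoint or from the report: it builds on-site presence windows from constructed badge events and flags logins whose network origin is inconsistent with them (an internal-network login by someone not badged in, or a remote login by someone who is physically on site). The log formats, usernames and addresses are all constructed for the example.

```python
from datetime import datetime

# Constructed sample records (not from the report). Timestamps are ISO 8601.
BADGE_LOG = [
    "2016-03-14T08:02:00 alice badge-in HQ",
    "2016-03-14T17:45:00 alice badge-out HQ",
    "2016-03-14T09:10:00 bob badge-in HQ",
    "2016-03-14T18:00:00 bob badge-out HQ",
]
ACCESS_LOG = [
    "2016-03-14T10:15:00 alice login 10.1.4.22",     # internal, while on site: normal
    "2016-03-14T12:40:00 alice login 203.0.113.45",  # remote while badged in on site: suspect
    "2016-03-14T11:00:00 bob login 10.1.4.31",       # internal, while on site: normal
    "2016-03-14T14:00:00 carol login 10.1.4.50",     # internal, no badge record at all: suspect
    "2016-03-14T21:05:00 bob login 198.51.100.9",    # remote after badge-out: normal
]
INTERNAL_PREFIX = "10."  # assumed internal address range for the example


def presence_windows(badge_lines):
    """Pair badge-in/badge-out events into (start, end) intervals per user."""
    windows, open_entries = {}, {}
    for line in sorted(badge_lines):  # ISO timestamps sort correctly as strings
        ts, user, event, _site = line.split()
        t = datetime.fromisoformat(ts)
        if event == "badge-in":
            open_entries[user] = t
        elif event == "badge-out" and user in open_entries:
            windows.setdefault(user, []).append((open_entries.pop(user), t))
    # A badge-in with no badge-out: assume presence until the end of that day.
    for user, start in open_entries.items():
        windows.setdefault(user, []).append(
            (start, start.replace(hour=23, minute=59, second=59)))
    return windows


def is_present(windows, user, t):
    return any(start <= t <= end for start, end in windows.get(user, []))


def correlate(badge_lines, access_lines, internal_prefix=INTERNAL_PREFIX):
    """Return (user, timestamp, ip, reason) for each login inconsistent with badge data."""
    windows = presence_windows(badge_lines)
    alerts = []
    for line in access_lines:
        ts, user, _event, ip = line.split()
        t = datetime.fromisoformat(ts)
        internal = ip.startswith(internal_prefix)
        present = is_present(windows, user, t)
        if internal and not present:
            alerts.append((user, ts, ip, "internal-network login while not badged in"))
        elif not internal and present:
            alerts.append((user, ts, ip, "remote login while badged in on site"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, ACCESS_LOG):
        print(alert)
```

Neither alert is proof of compromise on its own; the value of the correlation is that it narrows analyst attention to the handful of sessions where the credential and the person appear to be in two different places.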

Forcepoint’s Special Investigations (SI) team has discovered a new botnet campaign that it’s calling “Jaku”. Can you tell us something about it?

JAKU is a global botnet named after the harsh desert planet in Star Wars: The Force Awakens and exhibits a split personality. Its attack infrastructure seeks to both compromise victims at large scale, in order to co-opt and herd them for mass effect, and simultaneously conduct narrow, highly-targeted attacks on individual victims, seeking to harvest sensitive files, profile end-users and gather valuable machine information.

What is Forcepoint Security Labs doing to help customers fight back against the “Locky” ransomware?

Locky is delivered in Microsoft Office files that contain malicious macros. While Forcepoint’s technology platform recognized the threat and began blocking execution of the malicious content, the SI team set about analyzing how Locky forcibly encrypted files, in order to defeat this action. By studying how Locky interfaced with its command and control servers to generate and retrieve encryption keys, Forcepoint’s SI team reverse-engineered how the malware worked and blocked access to domains needed to complete the key process, rendering Locky harmless on systems that would have otherwise been encrypted. Locky’s controllers fought back by instructing Locky to access new crimeware domains, but Forcepoint’s SI team matched this move, blocking the new domains and negating the malware again.

While specialist teams like Forcepoint’s can thwart the arrival of ransomware, organizations’ best bet is to put strong data back-up postures in place that provide the luxury of simply ignoring ransom demands and seamlessly moving to copied files in the event of data loss or destruction.
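The Locky answer above turns on blocking the domains the malware needs to reach for its key exchange, and on keeping that blocklist current as the operators move to new domains. As an added example (not Forcepoint’s tooling, and using constructed placeholder domains rather than any real Locky infrastructure), the code below applies a domain blocklist to constructed DNS query log lines, matching both exact names and any subdomain of a listed name, and shows the list being extended when new domains are identified.

```python
# Constructed placeholder blocklist: these are NOT real malware domains.
BLOCKLIST = {"placeholder-c2-a.test", "placeholder-c2-b.test"}

# Constructed DNS resolver log lines in a key=value style.
DNS_LOG = [
    "2016-02-17T10:01:02 src=10.1.4.22 qname=www.example.org qtype=A",
    "2016-02-17T10:01:05 src=10.1.4.22 qname=placeholder-c2-a.test qtype=A",
    "2016-02-17T10:01:09 src=10.1.4.31 qname=keys.placeholder-c2-b.test qtype=A",
    "2016-02-17T10:02:11 src=10.1.4.31 qname=placeholder-c2-c.test qtype=A",
]


def matching_rule(qname, blocklist):
    """Return the blocklist entry that covers qname (exact or parent domain), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_dns_line(line):
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return parts[0], fields


def blocked_queries(lines, blocklist):
    """Return one record per query that a blocklist entry would have denied."""
    hits = []
    for line in lines:
        ts, f = parse_dns_line(line)
        rule = matching_rule(f["qname"], blocklist)
        if rule is not None:
            hits.append({"ts": ts, "src": f["src"], "qname": f["qname"], "rule": rule})
    return hits


if __name__ == "__main__":
    print(blocked_queries(DNS_LOG, BLOCKLIST))
    # Operators move to a new domain; analysts extend the list and the next run catches it.
    updated = BLOCKLIST | {"placeholder-c2-c.test"}
    print(blocked_queries(DNS_LOG, updated))
```

The third log line is caught only because the match walks up the label hierarchy; a blocklist that compared whole names would let `keys.placeholder-c2-b.test` through. The fourth line is the "new domain" case from the answer: it passes until the list is updated, which is why the domain list needs the same ongoing maintenance as any other signature.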

According to the findings of Forcepoint’s 2016 Global Threat Report, malicious content in email increased 250% in 2015, compared to 2014, driven largely by malware and ransomware. Please help us analyse this trend.

Employees, even in the most restricted and secure workplaces, typically cannot be productive without the Web and e-mail, making these mediums ideal for serving up malicious payloads in the form of links to malware-laden Web sites and malicious e-mail attachments. Almost 92% of unwanted (spam, malicious) e-mail now contains a URL, and the presence of malicious macros in e-mail is up 44.7%.

We found that overall malicious content in e-mail increased 250% in 2015, compared to 2014, with the Dridex banking malware and various ransomware campaigns largely responsible for the rise.
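Both the Locky answer and the e-mail trend above come back to Office attachments carrying macros. As an added example (not the report's or Forcepoint's code), the following builds two constructed OOXML documents in memory, one with a VBA project part and one without, and classifies attachment bytes by whether they contain a macro part. OOXML files are ZIP containers, and a VBA project lives in a `vbaProject.bin` part declared in `[Content_Types].xml`; legacy binary `.doc` files are OLE compound files instead, which this snippet only recognises by their magic bytes and hands off for deeper inspection rather than parsing.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header, legacy .doc/.xls
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_docx(with_macro):
    """Constructed minimal OOXML container for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="%s"/>' % VBA_CONTENT_TYPE)
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


def classify_attachment(data):
    """Return 'macro', 'ooxml-no-macro', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # needs an OLE parser to inspect for macro streams
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office"
    names = z.namelist()
    # Check for the VBA part directly, and for its declaration in the content types.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "macro"
    if "[Content_Types].xml" in names:
        types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in types:
            return "macro"
    return "ooxml-no-macro"


if __name__ == "__main__":
    for label, blob in [("with macro", build_sample_docx(True)),
                        ("without macro", build_sample_docx(False))]:
        print(label, "->", classify_attachment(blob))
```

A mail gateway policy built on this check would quarantine or strip `macro` results from external senders and route `legacy-ole` results to a parser that can enumerate VBA streams; note that the file extension is ignored entirely, since a `.docm` renamed to `.docx` still opens and still carries its macro part.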

Cloud computing’s cost, scalability and accessibility have offset security concerns for many enterprises, yet these issues present headaches for many cloud prospects wary of how inconsistent security controls between cloud providers and their own environments could upend data protection. What do you make of this scenario?

Somewhat ironically, CIOs and CISOs holding off on cloud adoption nonetheless find themselves wrestling with the consequences of employees’ independent decisions to use the cloud apps they prefer for personal productivity and convenience. More than 80% of decision-makers feel this “shadow” IT poses severe consequences. Unfortunately, when IT and security teams cannot see data in shadow IT systems, they cannot protect it.

To help prevent breaches stemming from unsanctioned cloud accounts and access, the Threat Report details measures organizations can take to educate users and block the movement of particular files to unauthorized cloud destinations.

Forcepoint’s Office of the CSO taps the expertise of Forcepoint’s own cybersecurity and data protection leaders to help customers create new security strategies, improve existing programs and repel ongoing attacks. Can you highlight some of the security trends spotted by the Office of the CSO (OoCSO)?

In 2015, the OoCSO team saw M&A activity as one of the greatest cybersecurity risk catalysts across industry sectors. Too often, extensive due diligence and confidential proceedings that lay the groundwork for M&A overlook the state of cybersecurity controls in companies party to a deal, opening opportunities for attackers, insiders or others to obtain privileged information or steal trade secrets and other data that could gut the value of a transaction.